Microsoft is extending their MS Office Bounty Program until the end of 2017. The program originally was only to last until June 15. However, the software giant is happy with their engagement with the security community that an extension makes sense. The program’s introduction in March includes a $500 minimum with up to $15,000 per-bug bounty. Which is for for any valid vulnerabilities and zero-day flaws in the Microsoft Office Insider slow build. Of course, this is on a full patch Windows 10 desktop operating system. Plus, there is a stipulation that Microsoft must be able to replicate it.
To sweeten the deal further, they are increasing the minimum bounty to $6,000, while the cap is still at $15,000. It is easy to assume that the the easier bugs have already been found, leaving only some harder to find ones. Increasing the bounty should help motivate the security community further. In the bounty terms available on the TechNet blog, Microsoft is specifically looking for zero-day problems including privilege escalation through Office Protected View, macro execution which bypasses security barriers designed to block macros, and remote code execution bugs, among others.
How does Microsoft Set the Payment Amounts?
If multiple submissions of the same bug report from several parties come in, the bounty only goes to the first eligible submission. However, if the duplicate report provides additional information that helps the vulnerability investigation, they may still provide a reward.
For more information on the terms of the bounty, visit the MS Office Insider bounty program page at: https://technet.microsoft.com/en-us/mt797549.aspx
